Docs Azure Generic IPv6 Proxy

Azure Generic IPv6 Proxy

You can find the repository on GitLab.

If you want to support IPv6 for your web application, but your infrastructure only supports IPv4, you can use this self-hosted proxy to accept IPv6 traffic and proxy it to your IPv4-only backend.

It supports HTTP and HTTPS. With HTTPS, it will do TLS passthrough, so it will just forward encrypted data. This proxy cannot read encrypted data, because it does not have the private key of the certificate used. SNI is not supported, so you cannot route to another backend based on hostname.

The proxy VM is an ordinary VM with two IP addresses: one IPv6 (for incoming traffic) and one IPv4 (for communication with the backend). It uses HAProxy.

This module can also create the AAAA DNS record if you host your DNS zone in Azure DNS. Make sure to enable it. If you host your DNS zone somewhere else, make sure you don’t forget to create the record for your domain(s) and point it to the public IPv6 address of this proxy. This module reserves a public IPv6 address and shows that in its output.

This Terraform module is easy to use (see examples/ directory) and will deploy the IPv6 proxy to it can be used like this:

Schematic overview of this IPv6 proxy

If you want to make this solution highly available, consider moving to a VM scale set and adding a TCP IPv6 load balancer in front of that scale set.

Requirements

No requirements.

Providers

Name Version
azurerm n/a

Modules

Name Source Version
networking ./modules/networking n/a
virtual_machine ./modules/virtual-machine n/a

Resources

Name Type
azurerm_resource_group.default resource

Inputs

Name Description Type Default Required
backend_ips The IPv4 addresses of the backend(s). list(string) n/a yes
create_dns_record Create an AAAA DNS record for the proxy. bool false no
dns_name The name (hostname) of the DNS record, can be a wildcard using *. string "" no
dns_zone_name The name of the DNS zone to create the AAAA record in. string "" no
dns_zone_resource_group_name The name of the resource group of the DNS zone to create the AAAA record in. string "" no
location The name of the Azure region to deploy the resources in. string n/a yes
nsg_name The name of the network security group. string "nsg-ipv6-proxy" no
public_ip_zones The zones to use for the public IP addresses. list(number)
[
1,
2,
3
]
no
public_ipv4_address_name The name of the public IPv4 address to reserve. string "pip-ipv6-proxy-ipv4" no
public_ipv6_address_name The name of the public IPv6 address to reserve. string "pip-ipv6-proxy-ipv6" no
resource_group_name The name of the new Azure resource group. string n/a yes
subnet_address_prefixes The private address prefixes of the subnet in the virtual network, including both IPv4 and IPv6. Should be in het subnet address range. IPv6 should be at least of size /64 list(string)
[
“10.0.0.0/24”,
“ace:cab:deca:deed::/64”
]
no
subnet_name The name of the subnet in the virtual network. string "snet-ipv6-proxy" no
vm_name The name of the virtual machine. string "ipv6-proxy" no
vm_size The size for the virtual machine. string "Standard_B1ms" no
vnet_address_space The private address space of the virtual network, including both IPv4 and IPv6. IPv6 should be at least of size /48 list(string)
[
“10.0.0.0/16”,
“ace:cab:deca::/48”
]
no
vnet_name The name of the virtual network. string "vnet-ipv6-proxy" no
whitelisted_ips List of IP addresses (or ranges) that should be able to access the VM over port 22. list(string) n/a no

Outputs

Name Description
public_ipv6_address The public (external) IPv6 address of the proxy. This is the address you should set your AAAA-record to.